From: Emanuele Giuseppe Esposito <eesposit@xxxxxxxxxx> redhat/dracut-virt.conf: add systemd-veritysetup module Upstream Status: RHEL-Only This driver, together with a specific kernel cmdline and separate partition containing the verification hash produced by veritysetup, enables root disk integrity protection for UKIs. Also add the overlay driver to allow systemd.volatile=overlay to mount an overlayfs on top of /. This will make the root disk again writable, but all changes will be ephemeral. Signed-off-by: Emanuele Giuseppe Esposito <eesposit@xxxxxxxxxx> diff --git a/redhat/dracut-virt.conf b/redhat/dracut-virt.conf index blahblah..blahblah 100644 --- a/redhat/dracut-virt.conf +++ b/redhat/dracut-virt.conf @@ -20,6 +20,9 @@ dracutmodules+=" virtiofs " # modules: use sysext images (see 'man systemd-sysext') dracutmodules+=" systemd-sysext " +# modules: root disk integrity protection +dracutmodules+=" systemd-veritysetup " + # drivers: virtual buses, pci drivers+=" virtio-pci virtio-mmio " # qemu-kvm drivers+=" hv-vmbus pci-hyperv " # hyperv @@ -34,5 +37,8 @@ drivers+=" xen-blkfront " # xen # root encryption drivers+=" dm_crypt " +# root disk integrity protection +drivers+=" dm_verity overlay " + # filesystems filesystems+=" vfat ext4 xfs overlay " -- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3212
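
Review bot: In the first hunk (@@ -20,6 +20,9 @@), the new comment "# modules: root disk integrity protection" does not say that the module only takes effect with the specific kernel cmdline and the separate hash partition that the commit message describes. The neighbouring entry documents itself with "(see 'man systemd-sysext')"; a pointer in the same style on the systemd-veritysetup line, or a short mention of the cmdline and hash-partition requirement, would keep a reader of dracut-virt.conf from assuming that including the module is enough to get a verified root.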
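
Review bot: In the second hunk (@@ -34,5 +37,8 @@), `overlay` is added on the same line as `dm_verity` under the comment "# root disk integrity protection", but the commit message gives it a different purpose: it is there so systemd.volatile=overlay can put an ephemeral writable overlayfs on top of /. Consider giving it its own `drivers+=" overlay "` line with a comment that names systemd.volatile=overlay, so that someone later trimming the integrity-related entries does not remove or keep it by accident. Also, `overlay` already appears in the context line `filesystems+=" vfat ext4 xfs overlay "` directly below; the commit message should say why the extra drivers+= entry is needed, or the entry should be dropped if the filesystems line already covers it.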